Splunk Search

Extracting and Compare Folder Path From CSV

ramuzzini
Path Finder

Hello, working on monitoring if someone has moved a file outside a specific folder inside a preset folder structure on a network using data from a CSV source.  Inside csv, I am evaluating two specific fields used:

     Source_Directory and Destination_Directory

I am trying to compare the two going 3 folders deep in the file path but running into issue when performing my rex command.  Preset folder structure is: "\\my.local\d\p\" pulled from the data set used.  Within the folder "\p\", there are various folder names.  Need to eval if a folder path is different beyond the preset path of "\\my.local\d\p\..." I put in bold what a discrepancy would if there is one. 

Example data in CSV:
  Source_Directory                                                    Destination_Directory
     \\my.local\d\p\prg1\folder1\bfolder            \\my.local\d\p\prg1\folder1\ffolder
     \\my.local\d\p\prg2\folder1                             \\my.local\d\p\prg2\folder2
     \\my.local\d\p\prg1\folder2                             \\my.local\d\p\prg2\folder1\xfolder\mfolder\
     \\my.local\d\p\prg3\folder2\afolder            \\my.local\d\p\prg3\folder2
     \\my.local\d\p\prg2\folder1                             \\my.local\d\p\prg1\folder3

Output query I am trying to create 
  Status           Source_Directory                                                    Destination_Directory
    Same             \\my.local\d\p\prg1\folder1\bfolder            \\my.local\d\p\prg1\folder1\ffolder
    Same             \\my.local\d\p\prg2\folder1                             \\my.local\d\p\prg2\folder2
    Different        \\my.local\d\p\prg1\folder2                             \\my.local\d\p\prg2\folder1\xfolder\mfolder\
    Same             \\my.local\d\p\prg3\folder2\afolder            \\my.local\d\p\prg3\folder2
    Different        \\my.local\d\p\prg2\folder1                             \\my.local\d\p\prg1\folder3

If folder name is different after the preset"\\my.local\d\p\" path I need that to show in the "Status" output.  I have searched extensively on how to use this rex command in this instance with no luck so thought I would post my issue.  Here is the search I have been trying to use. 

Splunk Search

 host="my.local"  source="file_source.csv"  sourcetype="csv"
| eval src_dir = Source_Directory
| eval des_dir = Destination_Directory
| rex src_path = src_dir "(?<path>.*)\\\\\w*\.\w+$"
| rex des_path= des_dir "(?<path>.*)\\\\\w*\.\w+$"
| eval status = if (src_path = des_path, "Same", "Diffrent")
| table  status, Source_Directory, Destination_Directory


Any assistance would be much appreciated.

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
host="my.local"  source="file_source.csv"  sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table  status, Source_Directory, Destination_Directory

View solution in original post

ramuzzini
Path Finder

Thank you.  Was going about that all backwards.  

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
host="my.local"  source="file_source.csv"  sourcetype="csv"
| rex field=Source_Directory "\\\\([^\\\\]+\\\\){3}(?<src_folder>[^\\\\]+)"
| rex field=Destination_Directory "\\\\([^\\\\]+\\\\){3}(?<dest_folder>[^\\\\]+)"
| eval status = if(src_folder = dest_folder, "Same", "Different")
| table  status, Source_Directory, Destination_Directory
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...